oAuth

Modern app development made easier with 3scale and Stormpath

We’re happy to announce we’ve added a new integration for Stormpath, available for all 3scale plans starting today, which simplifies adoption of the complicated OAuth authentication flow. Our partnership with Stormpath provides complete identity management for 3scale customers and brings radical simplicity to modern app development. 3scale continues to be the best platform on which to build OAuth-powered APIs.

“The integration with Stormpath is the latest step from 3scale in becoming the standard for sophisticated APIs. We know that, due to the complexity of today’s development, in-house options are less feasible. This new partnership will make it easier than ever for API providers to implement a complete identity layer.”
– Steven Willmott, 3scale CEO

The integration is a powerful tool for any API provider who needs identity management. Stormpath is a …

Reduce Friction And Increase Adoption Of Your API

We have added OAuth 2.0 support to our Developer Portal to reduce signup friction and allow developers to have faster access to your API. We started with GitHub authentication first since it’s the most popular tool among the developer community and plan to add more Identity Providers (IdP) and tools such as Auth0, which provide Identity and Access Management (IAM) capability.

This functionality is now available on all 3scale customer developer portals – make sure to enable it on yours! We expect it to have a positive effect on the number of new developers trying out your API, which should increase adoption. To set it up, these simple steps.

A bit of history…

In the early stages of the Internet, we logged in to digital resources with usernames and passwords. Remember that scary grey box? With the “OK” and “Cancel” buttons? This process has be…

We are pleased to announce that implementing OAuth2 flows in the 3scale API Gateway is now easier than ever with the new option to configure OAuth2 flows directly from the proxy integration wizard. This allows your 3scale API Gateway to act as an OAuth2 provider supporting the authorization code grant by making this configurable from the 3scale proxy integration wizard. We hope that these enhancements will make the adoption of OAuth2 for your API quicker and easier by letting the 3scale API Gateway take care of issuing and managing access tokens for your third party applications.

A lot of API providers are increasingly concerned with the security of the data they expose through their APIs, especially if that data belongs to the end users of your service. As an API provider, you want to allow your end users to take advantage of the widest possible application eco-system built on top of your API, but you also want to ensure that the data y…

With the growing popularity of APIs also increases the risks of security flaws. API security needs to be carefully considered right from the start of an API project and in API design. The Bitly/MSNBC case is a perfect example of why.

Flexibility, scalability and security are probably the main keywords we tried to keep in mind during the API development.

Interview with Vivien Genet, Senior Developer at Jamendo.

Tell us more about the development process of the Jamendo API
When we decided to redesign Jamendo, we quickly thought that the API should be a priority in our planning: first, because it is THE main way for Jamendo to live outside www.jamendo.com (on social networks, mobiles, etc.), and second, because the migration of existing applications (based on our previous API) will take some time.

To develop the new API, we have used the Zend framework (as for the website) but we made a sub-framework specifically for the API to make it easier to change.

The App developer (consumer of the API) gets its client_id and client_secret via the buyer portal (in case of oAuth v1 would be consumer_key, etc.). These keys get provisioned after the account is validated, or by the provider through their portal, or via the Account API (e.g. Legacy systems or buyer portals not based on 3scale’s).

The App developer does the requests to the API as per standard oAuth, any library is supported since he knows its client_id and client_secret. Regardless if it’s a call to the API or or the GetAccessToken the client_id is always sent to the API provider (even once the access_token has been granted). The request is signed with his client_secret.

The API provider calls 3scale’s backend with the client_id from the requ…